cobaltstrike | bbcfdb3009ea90aca6b1e9d7d857b8586cdf5eaae9ffb875d9cf43cb30b10179

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

0fed54f0a437bce1dfca7e069699c383
SHA1

e8d1102ce2f84a2b960c2a0744206223501cdaf7
SHA256

bbcfdb3009ea90aca6b1e9d7d857b8586cdf5eaae9ffb875d9cf43cb30b10179
SHA512

5012aae5420aa8148c5800c935b7811f268f8f6c9bc07e32ee18dab7364eeee601ef06f06e695988fd856b068c2fe3ad8a71f1946c329a9f632047e07c360ee0
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lf:RWWBibf56utgpPFotBER/mQ32lUT

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\UciGZTC.exe	cobalt_reflective_dll
C:\Windows\System\DmyTiEy.exe	cobalt_reflective_dll
C:\Windows\System\FTaexbL.exe	cobalt_reflective_dll
C:\Windows\System\raEMhML.exe	cobalt_reflective_dll
C:\Windows\System\kzPGKZV.exe	cobalt_reflective_dll
C:\Windows\System\kGFyiDP.exe	cobalt_reflective_dll
C:\Windows\System\dVvAiHW.exe	cobalt_reflective_dll
C:\Windows\System\orTDJSX.exe	cobalt_reflective_dll
C:\Windows\System\isLRlgm.exe	cobalt_reflective_dll
C:\Windows\System\bjjNVVc.exe	cobalt_reflective_dll
C:\Windows\System\nXfYaSs.exe	cobalt_reflective_dll
C:\Windows\System\MvxwsrQ.exe	cobalt_reflective_dll
C:\Windows\System\ptzoETj.exe	cobalt_reflective_dll
C:\Windows\System\topJOnD.exe	cobalt_reflective_dll
C:\Windows\System\qThnJVl.exe	cobalt_reflective_dll
C:\Windows\System\GnCklYQ.exe	cobalt_reflective_dll
C:\Windows\System\MRFeMyt.exe	cobalt_reflective_dll
C:\Windows\System\HFnxLjb.exe	cobalt_reflective_dll
C:\Windows\System\IPXRGCg.exe	cobalt_reflective_dll
C:\Windows\System\xUzWTIq.exe	cobalt_reflective_dll
C:\Windows\System\pcBZtCO.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\UciGZTC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DmyTiEy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FTaexbL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\raEMhML.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kzPGKZV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kGFyiDP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dVvAiHW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\orTDJSX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\isLRlgm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bjjNVVc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nXfYaSs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MvxwsrQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ptzoETj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\topJOnD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qThnJVl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GnCklYQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MRFeMyt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HFnxLjb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IPXRGCg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xUzWTIq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pcBZtCO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1064-0-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	UPX
C:\Windows\System\UciGZTC.exe	UPX
C:\Windows\System\DmyTiEy.exe	UPX
behavioral2/memory/1040-11-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp	UPX
behavioral2/memory/3816-14-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp	UPX
C:\Windows\System\FTaexbL.exe	UPX
C:\Windows\System\raEMhML.exe	UPX
behavioral2/memory/3036-26-0x00007FF7B73B0000-0x00007FF7B7701000-memory.dmp	UPX
C:\Windows\System\kzPGKZV.exe	UPX
C:\Windows\System\kGFyiDP.exe	UPX
behavioral2/memory/4772-34-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp	UPX
behavioral2/memory/4948-25-0x00007FF737920000-0x00007FF737C71000-memory.dmp	UPX
C:\Windows\System\dVvAiHW.exe	UPX
behavioral2/memory/3060-38-0x00007FF77A7A0000-0x00007FF77AAF1000-memory.dmp	UPX
behavioral2/memory/4204-44-0x00007FF77A500000-0x00007FF77A851000-memory.dmp	UPX
C:\Windows\System\orTDJSX.exe	UPX
C:\Windows\System\isLRlgm.exe	UPX
C:\Windows\System\bjjNVVc.exe	UPX
behavioral2/memory/2924-65-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp	UPX
behavioral2/memory/408-70-0x00007FF7D1BF0000-0x00007FF7D1F41000-memory.dmp	UPX
C:\Windows\System\nXfYaSs.exe	UPX
behavioral2/memory/1040-76-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp	UPX
C:\Windows\System\MvxwsrQ.exe	UPX
C:\Windows\System\ptzoETj.exe	UPX
C:\Windows\System\topJOnD.exe	UPX
C:\Windows\System\qThnJVl.exe	UPX
C:\Windows\System\GnCklYQ.exe	UPX
C:\Windows\System\MRFeMyt.exe	UPX
C:\Windows\System\HFnxLjb.exe	UPX
C:\Windows\System\IPXRGCg.exe	UPX
C:\Windows\System\IPXRGCg.exe	UPX
C:\Windows\System\xUzWTIq.exe	UPX
behavioral2/memory/1436-79-0x00007FF7B4130000-0x00007FF7B4481000-memory.dmp	UPX
behavioral2/memory/3004-78-0x00007FF6E7B20000-0x00007FF6E7E71000-memory.dmp	UPX
behavioral2/memory/1064-75-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	UPX
behavioral2/memory/4552-66-0x00007FF6604B0000-0x00007FF660801000-memory.dmp	UPX
C:\Windows\System\pcBZtCO.exe	UPX
behavioral2/memory/4008-48-0x00007FF678690000-0x00007FF6789E1000-memory.dmp	UPX
behavioral2/memory/3152-122-0x00007FF7A70C0000-0x00007FF7A7411000-memory.dmp	UPX
behavioral2/memory/3916-123-0x00007FF75D190000-0x00007FF75D4E1000-memory.dmp	UPX
behavioral2/memory/368-124-0x00007FF7D36B0000-0x00007FF7D3A01000-memory.dmp	UPX
behavioral2/memory/4376-125-0x00007FF6AEBD0000-0x00007FF6AEF21000-memory.dmp	UPX
behavioral2/memory/1384-127-0x00007FF7BB250000-0x00007FF7BB5A1000-memory.dmp	UPX
behavioral2/memory/5052-129-0x00007FF673500000-0x00007FF673851000-memory.dmp	UPX
behavioral2/memory/3364-128-0x00007FF7A9E00000-0x00007FF7AA151000-memory.dmp	UPX
behavioral2/memory/4144-126-0x00007FF6DDD10000-0x00007FF6DE061000-memory.dmp	UPX
behavioral2/memory/1064-130-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	UPX
behavioral2/memory/4772-135-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp	UPX
behavioral2/memory/408-141-0x00007FF7D1BF0000-0x00007FF7D1F41000-memory.dmp	UPX
behavioral2/memory/1436-143-0x00007FF7B4130000-0x00007FF7B4481000-memory.dmp	UPX
behavioral2/memory/4204-137-0x00007FF77A500000-0x00007FF77A851000-memory.dmp	UPX
behavioral2/memory/3816-132-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp	UPX
behavioral2/memory/3004-142-0x00007FF6E7B20000-0x00007FF6E7E71000-memory.dmp	UPX
behavioral2/memory/4008-138-0x00007FF678690000-0x00007FF6789E1000-memory.dmp	UPX
behavioral2/memory/1064-152-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	UPX
behavioral2/memory/1040-197-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp	UPX
behavioral2/memory/3816-199-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp	UPX
behavioral2/memory/4948-207-0x00007FF737920000-0x00007FF737C71000-memory.dmp	UPX
behavioral2/memory/3036-209-0x00007FF7B73B0000-0x00007FF7B7701000-memory.dmp	UPX
behavioral2/memory/4772-212-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp	UPX
behavioral2/memory/3060-213-0x00007FF77A7A0000-0x00007FF77AAF1000-memory.dmp	UPX
behavioral2/memory/4204-215-0x00007FF77A500000-0x00007FF77A851000-memory.dmp	UPX
behavioral2/memory/4008-217-0x00007FF678690000-0x00007FF6789E1000-memory.dmp	UPX
behavioral2/memory/2924-219-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3036-26-0x00007FF7B73B0000-0x00007FF7B7701000-memory.dmp	xmrig
behavioral2/memory/4948-25-0x00007FF737920000-0x00007FF737C71000-memory.dmp	xmrig
behavioral2/memory/3060-38-0x00007FF77A7A0000-0x00007FF77AAF1000-memory.dmp	xmrig
behavioral2/memory/4204-44-0x00007FF77A500000-0x00007FF77A851000-memory.dmp	xmrig
behavioral2/memory/2924-65-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp	xmrig
behavioral2/memory/1040-76-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp	xmrig
behavioral2/memory/1064-75-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	xmrig
behavioral2/memory/4552-66-0x00007FF6604B0000-0x00007FF660801000-memory.dmp	xmrig
behavioral2/memory/3152-122-0x00007FF7A70C0000-0x00007FF7A7411000-memory.dmp	xmrig
behavioral2/memory/3916-123-0x00007FF75D190000-0x00007FF75D4E1000-memory.dmp	xmrig
behavioral2/memory/368-124-0x00007FF7D36B0000-0x00007FF7D3A01000-memory.dmp	xmrig
behavioral2/memory/4376-125-0x00007FF6AEBD0000-0x00007FF6AEF21000-memory.dmp	xmrig
behavioral2/memory/1384-127-0x00007FF7BB250000-0x00007FF7BB5A1000-memory.dmp	xmrig
behavioral2/memory/5052-129-0x00007FF673500000-0x00007FF673851000-memory.dmp	xmrig
behavioral2/memory/3364-128-0x00007FF7A9E00000-0x00007FF7AA151000-memory.dmp	xmrig
behavioral2/memory/4144-126-0x00007FF6DDD10000-0x00007FF6DE061000-memory.dmp	xmrig
behavioral2/memory/1064-130-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	xmrig
behavioral2/memory/4772-135-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp	xmrig
behavioral2/memory/408-141-0x00007FF7D1BF0000-0x00007FF7D1F41000-memory.dmp	xmrig
behavioral2/memory/1436-143-0x00007FF7B4130000-0x00007FF7B4481000-memory.dmp	xmrig
behavioral2/memory/4204-137-0x00007FF77A500000-0x00007FF77A851000-memory.dmp	xmrig
behavioral2/memory/3816-132-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp	xmrig
behavioral2/memory/3004-142-0x00007FF6E7B20000-0x00007FF6E7E71000-memory.dmp	xmrig
behavioral2/memory/4008-138-0x00007FF678690000-0x00007FF6789E1000-memory.dmp	xmrig
behavioral2/memory/1064-152-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	xmrig
behavioral2/memory/1040-197-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp	xmrig
behavioral2/memory/3816-199-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp	xmrig
behavioral2/memory/4948-207-0x00007FF737920000-0x00007FF737C71000-memory.dmp	xmrig
behavioral2/memory/3036-209-0x00007FF7B73B0000-0x00007FF7B7701000-memory.dmp	xmrig
behavioral2/memory/4772-212-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp	xmrig
behavioral2/memory/3060-213-0x00007FF77A7A0000-0x00007FF77AAF1000-memory.dmp	xmrig
behavioral2/memory/4204-215-0x00007FF77A500000-0x00007FF77A851000-memory.dmp	xmrig
behavioral2/memory/4008-217-0x00007FF678690000-0x00007FF6789E1000-memory.dmp	xmrig
behavioral2/memory/2924-219-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp	xmrig
behavioral2/memory/4552-221-0x00007FF6604B0000-0x00007FF660801000-memory.dmp	xmrig
behavioral2/memory/408-223-0x00007FF7D1BF0000-0x00007FF7D1F41000-memory.dmp	xmrig
behavioral2/memory/1436-225-0x00007FF7B4130000-0x00007FF7B4481000-memory.dmp	xmrig
behavioral2/memory/3916-228-0x00007FF75D190000-0x00007FF75D4E1000-memory.dmp	xmrig
behavioral2/memory/3152-229-0x00007FF7A70C0000-0x00007FF7A7411000-memory.dmp	xmrig
behavioral2/memory/368-231-0x00007FF7D36B0000-0x00007FF7D3A01000-memory.dmp	xmrig
behavioral2/memory/1384-237-0x00007FF7BB250000-0x00007FF7BB5A1000-memory.dmp	xmrig
behavioral2/memory/3364-239-0x00007FF7A9E00000-0x00007FF7AA151000-memory.dmp	xmrig
behavioral2/memory/5052-241-0x00007FF673500000-0x00007FF673851000-memory.dmp	xmrig
behavioral2/memory/4376-235-0x00007FF6AEBD0000-0x00007FF6AEF21000-memory.dmp	xmrig
behavioral2/memory/4144-234-0x00007FF6DDD10000-0x00007FF6DE061000-memory.dmp	xmrig
behavioral2/memory/3004-244-0x00007FF6E7B20000-0x00007FF6E7E71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

UciGZTC.exeDmyTiEy.exeFTaexbL.exeraEMhML.exekzPGKZV.exekGFyiDP.exedVvAiHW.exepcBZtCO.exeorTDJSX.exebjjNVVc.exeisLRlgm.exenXfYaSs.exexUzWTIq.exeMvxwsrQ.exeIPXRGCg.exeHFnxLjb.exeMRFeMyt.exeGnCklYQ.exeptzoETj.exeqThnJVl.exetopJOnD.exe

pid	process
1040	UciGZTC.exe
3816	DmyTiEy.exe
4948	FTaexbL.exe
3036	raEMhML.exe
4772	kzPGKZV.exe
3060	kGFyiDP.exe
4204	dVvAiHW.exe
4008	pcBZtCO.exe
2924	orTDJSX.exe
4552	bjjNVVc.exe
408	isLRlgm.exe
3004	nXfYaSs.exe
1436	xUzWTIq.exe
3152	MvxwsrQ.exe
3916	IPXRGCg.exe
368	HFnxLjb.exe
4376	MRFeMyt.exe
4144	GnCklYQ.exe
1384	ptzoETj.exe
3364	qThnJVl.exe
5052	topJOnD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1064-0-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	upx
C:\Windows\System\UciGZTC.exe	upx
C:\Windows\System\DmyTiEy.exe	upx
behavioral2/memory/1040-11-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp	upx
behavioral2/memory/3816-14-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp	upx
C:\Windows\System\FTaexbL.exe	upx
C:\Windows\System\raEMhML.exe	upx
behavioral2/memory/3036-26-0x00007FF7B73B0000-0x00007FF7B7701000-memory.dmp	upx
C:\Windows\System\kzPGKZV.exe	upx
C:\Windows\System\kGFyiDP.exe	upx
behavioral2/memory/4772-34-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp	upx
behavioral2/memory/4948-25-0x00007FF737920000-0x00007FF737C71000-memory.dmp	upx
C:\Windows\System\dVvAiHW.exe	upx
behavioral2/memory/3060-38-0x00007FF77A7A0000-0x00007FF77AAF1000-memory.dmp	upx
behavioral2/memory/4204-44-0x00007FF77A500000-0x00007FF77A851000-memory.dmp	upx
C:\Windows\System\orTDJSX.exe	upx
C:\Windows\System\isLRlgm.exe	upx
C:\Windows\System\bjjNVVc.exe	upx
behavioral2/memory/2924-65-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp	upx
behavioral2/memory/408-70-0x00007FF7D1BF0000-0x00007FF7D1F41000-memory.dmp	upx
C:\Windows\System\nXfYaSs.exe	upx
behavioral2/memory/1040-76-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp	upx
C:\Windows\System\MvxwsrQ.exe	upx
C:\Windows\System\ptzoETj.exe	upx
C:\Windows\System\topJOnD.exe	upx
C:\Windows\System\qThnJVl.exe	upx
C:\Windows\System\GnCklYQ.exe	upx
C:\Windows\System\MRFeMyt.exe	upx
C:\Windows\System\HFnxLjb.exe	upx
C:\Windows\System\IPXRGCg.exe	upx
C:\Windows\System\IPXRGCg.exe	upx
C:\Windows\System\xUzWTIq.exe	upx
behavioral2/memory/1436-79-0x00007FF7B4130000-0x00007FF7B4481000-memory.dmp	upx
behavioral2/memory/3004-78-0x00007FF6E7B20000-0x00007FF6E7E71000-memory.dmp	upx
behavioral2/memory/1064-75-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	upx
behavioral2/memory/4552-66-0x00007FF6604B0000-0x00007FF660801000-memory.dmp	upx
C:\Windows\System\pcBZtCO.exe	upx
behavioral2/memory/4008-48-0x00007FF678690000-0x00007FF6789E1000-memory.dmp	upx
behavioral2/memory/3152-122-0x00007FF7A70C0000-0x00007FF7A7411000-memory.dmp	upx
behavioral2/memory/3916-123-0x00007FF75D190000-0x00007FF75D4E1000-memory.dmp	upx
behavioral2/memory/368-124-0x00007FF7D36B0000-0x00007FF7D3A01000-memory.dmp	upx
behavioral2/memory/4376-125-0x00007FF6AEBD0000-0x00007FF6AEF21000-memory.dmp	upx
behavioral2/memory/1384-127-0x00007FF7BB250000-0x00007FF7BB5A1000-memory.dmp	upx
behavioral2/memory/5052-129-0x00007FF673500000-0x00007FF673851000-memory.dmp	upx
behavioral2/memory/3364-128-0x00007FF7A9E00000-0x00007FF7AA151000-memory.dmp	upx
behavioral2/memory/4144-126-0x00007FF6DDD10000-0x00007FF6DE061000-memory.dmp	upx
behavioral2/memory/1064-130-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	upx
behavioral2/memory/4772-135-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp	upx
behavioral2/memory/408-141-0x00007FF7D1BF0000-0x00007FF7D1F41000-memory.dmp	upx
behavioral2/memory/1436-143-0x00007FF7B4130000-0x00007FF7B4481000-memory.dmp	upx
behavioral2/memory/4204-137-0x00007FF77A500000-0x00007FF77A851000-memory.dmp	upx
behavioral2/memory/3816-132-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp	upx
behavioral2/memory/3004-142-0x00007FF6E7B20000-0x00007FF6E7E71000-memory.dmp	upx
behavioral2/memory/4008-138-0x00007FF678690000-0x00007FF6789E1000-memory.dmp	upx
behavioral2/memory/1064-152-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	upx
behavioral2/memory/1040-197-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp	upx
behavioral2/memory/3816-199-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp	upx
behavioral2/memory/4948-207-0x00007FF737920000-0x00007FF737C71000-memory.dmp	upx
behavioral2/memory/3036-209-0x00007FF7B73B0000-0x00007FF7B7701000-memory.dmp	upx
behavioral2/memory/4772-212-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp	upx
behavioral2/memory/3060-213-0x00007FF77A7A0000-0x00007FF77AAF1000-memory.dmp	upx
behavioral2/memory/4204-215-0x00007FF77A500000-0x00007FF77A851000-memory.dmp	upx
behavioral2/memory/4008-217-0x00007FF678690000-0x00007FF6789E1000-memory.dmp	upx
behavioral2/memory/2924-219-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\xUzWTIq.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HFnxLjb.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\topJOnD.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DmyTiEy.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\raEMhML.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nXfYaSs.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dVvAiHW.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bjjNVVc.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IPXRGCg.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MRFeMyt.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GnCklYQ.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UciGZTC.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FTaexbL.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kzPGKZV.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\isLRlgm.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ptzoETj.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qThnJVl.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MvxwsrQ.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kGFyiDP.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pcBZtCO.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\orTDJSX.exe	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1064 wrote to memory of 1040	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	UciGZTC.exe
PID 1064 wrote to memory of 1040	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	UciGZTC.exe
PID 1064 wrote to memory of 3816	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	DmyTiEy.exe
PID 1064 wrote to memory of 3816	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	DmyTiEy.exe
PID 1064 wrote to memory of 4948	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	FTaexbL.exe
PID 1064 wrote to memory of 4948	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	FTaexbL.exe
PID 1064 wrote to memory of 3036	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	raEMhML.exe
PID 1064 wrote to memory of 3036	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	raEMhML.exe
PID 1064 wrote to memory of 4772	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	kzPGKZV.exe
PID 1064 wrote to memory of 4772	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	kzPGKZV.exe
PID 1064 wrote to memory of 3060	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	kGFyiDP.exe
PID 1064 wrote to memory of 3060	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	kGFyiDP.exe
PID 1064 wrote to memory of 4204	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	dVvAiHW.exe
PID 1064 wrote to memory of 4204	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	dVvAiHW.exe
PID 1064 wrote to memory of 4008	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	pcBZtCO.exe
PID 1064 wrote to memory of 4008	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	pcBZtCO.exe
PID 1064 wrote to memory of 2924	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	orTDJSX.exe
PID 1064 wrote to memory of 2924	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	orTDJSX.exe
PID 1064 wrote to memory of 4552	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	bjjNVVc.exe
PID 1064 wrote to memory of 4552	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	bjjNVVc.exe
PID 1064 wrote to memory of 408	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	isLRlgm.exe
PID 1064 wrote to memory of 408	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	isLRlgm.exe
PID 1064 wrote to memory of 3004	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	nXfYaSs.exe
PID 1064 wrote to memory of 3004	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	nXfYaSs.exe
PID 1064 wrote to memory of 1436	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	xUzWTIq.exe
PID 1064 wrote to memory of 1436	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	xUzWTIq.exe
PID 1064 wrote to memory of 3152	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	MvxwsrQ.exe
PID 1064 wrote to memory of 3152	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	MvxwsrQ.exe
PID 1064 wrote to memory of 3916	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	IPXRGCg.exe
PID 1064 wrote to memory of 3916	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	IPXRGCg.exe
PID 1064 wrote to memory of 368	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	HFnxLjb.exe
PID 1064 wrote to memory of 368	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	HFnxLjb.exe
PID 1064 wrote to memory of 4376	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	MRFeMyt.exe
PID 1064 wrote to memory of 4376	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	MRFeMyt.exe
PID 1064 wrote to memory of 4144	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	GnCklYQ.exe
PID 1064 wrote to memory of 4144	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	GnCklYQ.exe
PID 1064 wrote to memory of 1384	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	ptzoETj.exe
PID 1064 wrote to memory of 1384	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	ptzoETj.exe
PID 1064 wrote to memory of 3364	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	qThnJVl.exe
PID 1064 wrote to memory of 3364	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	qThnJVl.exe
PID 1064 wrote to memory of 5052	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	topJOnD.exe
PID 1064 wrote to memory of 5052	1064	2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe	topJOnD.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_0fed54f0a437bce1dfca7e069699c383_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\System\UciGZTC.exe
C:\Windows\System\UciGZTC.exe
2⤵
- Executes dropped EXE
PID:1040

C:\Windows\System\DmyTiEy.exe
C:\Windows\System\DmyTiEy.exe
2⤵
- Executes dropped EXE
PID:3816

C:\Windows\System\FTaexbL.exe
C:\Windows\System\FTaexbL.exe
2⤵
- Executes dropped EXE
PID:4948

C:\Windows\System\raEMhML.exe
C:\Windows\System\raEMhML.exe
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\System\kzPGKZV.exe
C:\Windows\System\kzPGKZV.exe
2⤵
- Executes dropped EXE
PID:4772

C:\Windows\System\kGFyiDP.exe
C:\Windows\System\kGFyiDP.exe
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\System\dVvAiHW.exe
C:\Windows\System\dVvAiHW.exe
2⤵
- Executes dropped EXE
PID:4204

C:\Windows\System\pcBZtCO.exe
C:\Windows\System\pcBZtCO.exe
2⤵
- Executes dropped EXE
PID:4008

C:\Windows\System\orTDJSX.exe
C:\Windows\System\orTDJSX.exe
2⤵
- Executes dropped EXE
PID:2924

C:\Windows\System\bjjNVVc.exe
C:\Windows\System\bjjNVVc.exe
2⤵
- Executes dropped EXE
PID:4552

C:\Windows\System\isLRlgm.exe
C:\Windows\System\isLRlgm.exe
2⤵
- Executes dropped EXE
PID:408

C:\Windows\System\nXfYaSs.exe
C:\Windows\System\nXfYaSs.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\xUzWTIq.exe
C:\Windows\System\xUzWTIq.exe
2⤵
- Executes dropped EXE
PID:1436

C:\Windows\System\MvxwsrQ.exe
C:\Windows\System\MvxwsrQ.exe
2⤵
- Executes dropped EXE
PID:3152

C:\Windows\System\IPXRGCg.exe
C:\Windows\System\IPXRGCg.exe
2⤵
- Executes dropped EXE
PID:3916

C:\Windows\System\HFnxLjb.exe
C:\Windows\System\HFnxLjb.exe
2⤵
- Executes dropped EXE
PID:368

C:\Windows\System\MRFeMyt.exe
C:\Windows\System\MRFeMyt.exe
2⤵
- Executes dropped EXE
PID:4376

C:\Windows\System\GnCklYQ.exe
C:\Windows\System\GnCklYQ.exe
2⤵
- Executes dropped EXE
PID:4144

C:\Windows\System\ptzoETj.exe
C:\Windows\System\ptzoETj.exe
2⤵
- Executes dropped EXE
PID:1384

C:\Windows\System\qThnJVl.exe
C:\Windows\System\qThnJVl.exe
2⤵
- Executes dropped EXE
PID:3364

C:\Windows\System\topJOnD.exe
C:\Windows\System\topJOnD.exe
2⤵
- Executes dropped EXE
PID:5052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DmyTiEy.exe

Filesize
5.2MB

MD5
42cf38be6188e76a63f63d0707b29a76

SHA1
db49b2e3f30ccea63d211c040a8002a17115f013

SHA256
7ffaf0a9f4aefc4a405804540dbbedd37d771e471f9c7ec5761965523e783bae

SHA512
691359e48062ef1cf3b61992f0e1ad67c35337b3ebc94fca6404654d7f33ca97debd00b237fd5481664e4035b58d68364a8b00a20fb4a482b1dd92400fab3140

Download Submit
C:\Windows\System\FTaexbL.exe

Filesize
5.2MB

MD5
f85ceffabba0a88c2a4fab5df91ca8fe

SHA1
406dda82605405cf76a84bb42284bd80b7acbb8a

SHA256
d796aaf09c7340cec088eed97dc09ea552a341bda4ec9377ba7a887ef13c29c6

SHA512
ed0b1e978dc81b892e80460c87bc2e62d36be6150d369695c8387d2270f64f1f1fe3f3e5f07b2473fb0fd8a99a1cbdca720a729d41a27f0c69223a3305776d5f

Download Submit
C:\Windows\System\GnCklYQ.exe

Filesize
5.2MB

MD5
294ad3a0a6d4a43c308c37ba3aac78b3

SHA1
1b5c63ddcc72a7597d838271846466521ebe10a7

SHA256
62ee91036d6ea80b06e01bd71b25399d20e8bd4db38a815f12fa067625c60a84

SHA512
9ed69510543eda8db6305fadfd4126ea7d2edd39d171139b75fca2e816021c85078b3fa64ae737630df28d0b95b2614ae6cddef22a5297a5f27380e4b8610fe9

Download Submit
C:\Windows\System\HFnxLjb.exe

Filesize
5.2MB

MD5
2537e5f28283006838fe53754be51a4a

SHA1
4cc0bbfa22a65cfbf518d022cd1177e214844de5

SHA256
83df1d9897d46fdc36a0305b575589cd0981940cd4a5100653002a268285b477

SHA512
757f5dbec57beca5300d49ddccf3f5dfeae15cc9ac0bd188de1af94280c14cb6ed4a5196f85dc2aa4679fd5c3c758b65e314e541143e30461664c47d2b5ee858

Download Submit
C:\Windows\System\IPXRGCg.exe

Filesize
5.1MB

MD5
5ea295cc31a0847144d008de08de86c5

SHA1
b6026a96de8d9add832452ca646612a2365a0909

SHA256
339cdfd36c5a4e82196d83dfcc2faf8077b2d11f39503810c05ed5db649a945f

SHA512
d59e8f5447c9505365d8c3fb9be948cb7467dc423db179a05ad04b3e353b46b5b7f198730865b68d88101aa49cf9a110099831a11e0e26b491c8635b1303c380

Download Submit
C:\Windows\System\IPXRGCg.exe

Filesize
5.2MB

MD5
28abd77bd20cf9c6801d53dc9879a53c

SHA1
8b6ce0a8783aafa47a8c130093a3f53a2b15ac63

SHA256
3a68af3e0de9a029cb940f2c417565a91ae4d7a93ec04f17dd89724508f9faaa

SHA512
15e08857117563a89fcf64fd56a55f37058ee9f0ab03ea60b7ccce20559c5940451b91244429dcf28594c081fdc6fbba462d69ed4ee86821573f3a5887253a71

Download Submit
C:\Windows\System\MRFeMyt.exe

Filesize
5.2MB

MD5
c7c1c487bcce397fa9f81ba52e2ee09f

SHA1
b3460aa720100ae0e3fa7101e8a0b48df956fcda

SHA256
a4e8d5066b3600858116a0d1e66389e40490ad13a32978ad1542d513d52d6839

SHA512
ed92ae5302261de38fa50c5be57ab56a771848e1ff78b3ec854a84f983643674d1256800c872bc1f8b942232486ded8f794b39eca4012568653ae6cc65d3d106

Download Submit
C:\Windows\System\MvxwsrQ.exe

Filesize
5.2MB

MD5
eaa4f4f5172ef9b0ac335d488db3a98d

SHA1
75aa2346d0ba93b2480533b2e2bc039636fb7dbb

SHA256
0d3c5a619535743a64b4dd6d91e2f72dc1fa9fd8f1a960ea75385b60f48a55b7

SHA512
c1639132019ea12ee203b3a33496a7b506c9a45cc30923370b141baee62f062417b64e85e90e6e89347064b62b7a2b4d9fb115b3a1f3f1d8463e6faff75d3d66

Download Submit
C:\Windows\System\UciGZTC.exe

Filesize
5.2MB

MD5
9dc1b533aa69abbeeebafbcd3ce9e949

SHA1
51139e4f4623c47a8788b93eb25dd127eca2ef4b

SHA256
2a2404e99872d427cbdfb6401ee40397b55874c37ece6189113727f443118371

SHA512
1fcd357f2b48b298638e027dd192c3cb20ad100cbce0e64a60bb2771716edc71365b6ae6276f6297fa74752791cdccc00211ee4e964206ed19d82e52c14202bf

Download Submit
C:\Windows\System\bjjNVVc.exe

Filesize
5.2MB

MD5
c8fbd3dd4025de257e5c29cf33f8f610

SHA1
757f1c3c19d2bcae86c2e82e506c48ba78fd70b4

SHA256
ad8bcc4d8744343704eab02e612b5ba0e4e110cb9e118e9419667ded1f945c88

SHA512
a7ab34a02f6dbe844eac723d923683b88e4ee25ff0bb5769fcf3ba091f209544637d34a4b810c4ffd7bde824642876b97a7f247a6e11434d7c8a2e61cc969663

Download Submit
C:\Windows\System\dVvAiHW.exe

Filesize
5.2MB

MD5
2e7be5ba6045f3c76c37f0d0adf47d5f

SHA1
b378ad7ebd56e486e15ca6a44f787f95fe7fae3f

SHA256
3c3bee8b0b3484b9edaea80f7d8406b4bed6a1fe436a6991941e70a7b448045d

SHA512
9fe4032859c4254b46663ed0ac1bc717df7fa3e57dd5ce0e8245c5d043648e14bb58fc17fd73184056e44e545dbde7c7100603c044cb36dcc309b26c6a0beb6b

Download Submit
C:\Windows\System\isLRlgm.exe

Filesize
5.2MB

MD5
680906c8d1a6cfc704cd0a8b4983661e

SHA1
4bfd00f9fc406fdf7c9dd7d3092f3edce3d58230

SHA256
2b37d21299aa811cb7ef43318bda7006017cbb549b2da4e46d8a23845b1d95f2

SHA512
3f64d8e04b9c2a70c9d357f448e188279f42a44211736dae331bf1ce249dfb88f136913d419703a151628bda21795b73bc4f35a336c431bbeec074a319be638c

Download Submit
C:\Windows\System\kGFyiDP.exe

Filesize
5.2MB

MD5
d176316532fb2089b09cf4195dfec958

SHA1
c747ab0595d0fee3758f24e4ca25bed82fa0fcee

SHA256
20f63c2c7c433e29cc582f64ca12e232569a410dcbf96113fee93eb9e194f87e

SHA512
01a2a3a382f32ea8c06385abb17d7d9adff2459d065c5dfd53b5e3d4856b6e35836ba841e9f8c243f5093c29814b527547e02aba89bf0ac4f43370c82ca20881

Download Submit
C:\Windows\System\kzPGKZV.exe

Filesize
5.2MB

MD5
5bfa99c09e367969efda975f61335da7

SHA1
01746d6e38fdd6d884c2232dbe04ff2c89695296

SHA256
378489f896ea2a6dc88479e805888271d6464f4e290009309a22b8f638e010c3

SHA512
b56577bbd0b3dfc50b3ebc5996c3795f6f1bdf6f8ae0b5e39ed889623e84645d7f552a9e4bc623267a7921e6ce1d3ed9b38eb26f2d574376c4d84be76860916a

Download Submit
C:\Windows\System\nXfYaSs.exe

Filesize
5.2MB

MD5
a11179c34b6a5daca0a553445fb5947c

SHA1
a4485296ba9ea24a0745686cb2ecae53886d3d71

SHA256
a59f1d8dcb88f6a1b4503e9deebc42ba10a1aa8d638816c504201115344577ca

SHA512
8ce288dfdd9861bd287301f160be36917bff1cff96232a5b9a15428d76b132e90b095886fe38277158a137881c18337708f332ff990f7c7e558119f0d6eb3568

Download Submit
C:\Windows\System\orTDJSX.exe

Filesize
5.2MB

MD5
f8043f1aaca3fd6fb7a35c9a8fdf70fb

SHA1
8484998f0c926a4c71a9b2e20d2029c90cf48281

SHA256
74c09dccff29b54375bc5752d8af1a9cc6cc9f920e0ed9e755056614cdcf2dbf

SHA512
30bec5827eea188b46ea299da9a1ea9057522f87d5708b3704da80d90b563dfec3eeffe82fb55701dbb6e4f8ec96b3ec2a5b69f76a8993289c3a6c347c8d9a5e

Download Submit
C:\Windows\System\pcBZtCO.exe

Filesize
5.2MB

MD5
d0f1283f092c703c4e071352c4e276de

SHA1
75aabcdee2170e4b86f44de7d50f01a704c8c92a

SHA256
effa5527c8a55b515cdd70779a0f914fde48677851a77b12e3b9ce1e94a2a11a

SHA512
39e35fa2802231cc3032acf61163e0292741fe5cc59957448c448967bd67634c17eafb640bf3b35aeb8d953c678f42cca2d666256c7116e2795b7a87ab8f9565

Download Submit
C:\Windows\System\ptzoETj.exe

Filesize
5.2MB

MD5
1c092e64722a57a80f963926a3a72b4d

SHA1
dc74a0f5c36c2070ee2a2ca71646cce1593ad7b2

SHA256
d47df42919991c7b793124af1041a60d4012d1be3d5951324bf718f0dacb99d8

SHA512
f05a8f9b5c0e035a6ba3300f59d0fbea5f2cfdc336054387d9d03aac2fcd73ac58efd54a148acaf4b6596903ab4d66e6cdc2c2b925e8dfe86414ad87750baea1

Download Submit
C:\Windows\System\qThnJVl.exe

Filesize
5.2MB

MD5
0127360c00e336faadc7b004f4f7f505

SHA1
ecc32c41d5a312b02044e07a340331bdf63dcd6d

SHA256
d87925df3afb4f786a13738eb3851b3c9f4f424a6df2ab840922dc6fba431013

SHA512
014ecab7833865f04fa844431cf92ec09565d64619aae6763993fbcd6975f26fcc64c98ca7955c7ca65d880608e97d91d2941084c25a7a60bfd76830e85d2da9

Download Submit
C:\Windows\System\raEMhML.exe

Filesize
5.2MB

MD5
9e3147abd8b7fe3f62ed3f48b5922f9a

SHA1
688d5cc1d80e1700aa570848ee4f2ff151a2a326

SHA256
0c9d0b0f17377a1f5a4240a23f81d43ba9811458983d075575464995583f36e9

SHA512
b7324818799a40f3e49751fba9c65222a73d7ea148e772a797ab820598b9eae07902f01d1ec298ce8f08b8977379d484d4e1b78111e7976ddc94293aeb8e076c

Download Submit
C:\Windows\System\topJOnD.exe

Filesize
5.2MB

MD5
1cbe177ea4d231b8f01ef79105106be6

SHA1
98e5f58e275f4573c614b6d516b81a984fbf8279

SHA256
4bb42cd9fc8d4eecd308603796e5aa4d2eb65eee2387ff22dee5059e982860d2

SHA512
0fcea248040f7b1a67d7216ff316613ec09293cf731ee57a36124660a597c2ae8e82783354890010512537ffaf7351c6a8d42a806d6ac01388c21071ca44e0d9

Download Submit
C:\Windows\System\xUzWTIq.exe

Filesize
5.2MB

MD5
6862cc7574b2881dab3481090d15aef3

SHA1
2592db795504fbab95c57fa09011b03458d08802

SHA256
62a34a0f3d42de060b53e9912be10947a5c37dbb78d4873e500612cfe4e1cb59

SHA512
9981c1959c9eeeb22eb11189045699a2b83878e3db23cba6e42c148503390cda4efd047e235be2b84e144cb594427ac17cabdb0fed86e4ef01e006b9e181428c

Download Submit
memory/368-231-0x00007FF7D36B0000-0x00007FF7D3A01000-memory.dmp

Filesize
3.3MB

Download
memory/368-124-0x00007FF7D36B0000-0x00007FF7D3A01000-memory.dmp

Filesize
3.3MB

Download
memory/408-70-0x00007FF7D1BF0000-0x00007FF7D1F41000-memory.dmp

Filesize
3.3MB

Download
memory/408-223-0x00007FF7D1BF0000-0x00007FF7D1F41000-memory.dmp

Filesize
3.3MB

Download
memory/408-141-0x00007FF7D1BF0000-0x00007FF7D1F41000-memory.dmp

Filesize
3.3MB

Download
memory/1040-11-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp

Filesize
3.3MB

Download
memory/1040-197-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp

Filesize
3.3MB

Download
memory/1040-76-0x00007FF71C8D0000-0x00007FF71CC21000-memory.dmp

Filesize
3.3MB

Download
memory/1064-75-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp

Filesize
3.3MB

Download
memory/1064-1-0x0000021431370000-0x0000021431380000-memory.dmp

Filesize
64KB

Download
memory/1064-130-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp

Filesize
3.3MB

Download
memory/1064-152-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp

Filesize
3.3MB

Download
memory/1064-0-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp

Filesize
3.3MB

Download
memory/1384-237-0x00007FF7BB250000-0x00007FF7BB5A1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-127-0x00007FF7BB250000-0x00007FF7BB5A1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-143-0x00007FF7B4130000-0x00007FF7B4481000-memory.dmp

Filesize
3.3MB

Download
memory/1436-79-0x00007FF7B4130000-0x00007FF7B4481000-memory.dmp

Filesize
3.3MB

Download
memory/1436-225-0x00007FF7B4130000-0x00007FF7B4481000-memory.dmp

Filesize
3.3MB

Download
memory/2924-219-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2924-65-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp

Filesize
3.3MB

Download
memory/3004-78-0x00007FF6E7B20000-0x00007FF6E7E71000-memory.dmp

Filesize
3.3MB

Download
memory/3004-142-0x00007FF6E7B20000-0x00007FF6E7E71000-memory.dmp

Filesize
3.3MB

Download
memory/3004-244-0x00007FF6E7B20000-0x00007FF6E7E71000-memory.dmp

Filesize
3.3MB

Download
memory/3036-209-0x00007FF7B73B0000-0x00007FF7B7701000-memory.dmp

Filesize
3.3MB

Download
memory/3036-26-0x00007FF7B73B0000-0x00007FF7B7701000-memory.dmp

Filesize
3.3MB

Download
memory/3060-213-0x00007FF77A7A0000-0x00007FF77AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-38-0x00007FF77A7A0000-0x00007FF77AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/3152-122-0x00007FF7A70C0000-0x00007FF7A7411000-memory.dmp

Filesize
3.3MB

Download
memory/3152-229-0x00007FF7A70C0000-0x00007FF7A7411000-memory.dmp

Filesize
3.3MB

Download
memory/3364-128-0x00007FF7A9E00000-0x00007FF7AA151000-memory.dmp

Filesize
3.3MB

Download
memory/3364-239-0x00007FF7A9E00000-0x00007FF7AA151000-memory.dmp

Filesize
3.3MB

Download
memory/3816-14-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp

Filesize
3.3MB

Download
memory/3816-132-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp

Filesize
3.3MB

Download
memory/3816-199-0x00007FF79F930000-0x00007FF79FC81000-memory.dmp

Filesize
3.3MB

Download
memory/3916-123-0x00007FF75D190000-0x00007FF75D4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3916-228-0x00007FF75D190000-0x00007FF75D4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-217-0x00007FF678690000-0x00007FF6789E1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-138-0x00007FF678690000-0x00007FF6789E1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-48-0x00007FF678690000-0x00007FF6789E1000-memory.dmp

Filesize
3.3MB

Download
memory/4144-126-0x00007FF6DDD10000-0x00007FF6DE061000-memory.dmp

Filesize
3.3MB

Download
memory/4144-234-0x00007FF6DDD10000-0x00007FF6DE061000-memory.dmp

Filesize
3.3MB

Download
memory/4204-215-0x00007FF77A500000-0x00007FF77A851000-memory.dmp

Filesize
3.3MB

Download
memory/4204-44-0x00007FF77A500000-0x00007FF77A851000-memory.dmp

Filesize
3.3MB

Download
memory/4204-137-0x00007FF77A500000-0x00007FF77A851000-memory.dmp

Filesize
3.3MB

Download
memory/4376-235-0x00007FF6AEBD0000-0x00007FF6AEF21000-memory.dmp

Filesize
3.3MB

Download
memory/4376-125-0x00007FF6AEBD0000-0x00007FF6AEF21000-memory.dmp

Filesize
3.3MB

Download
memory/4552-221-0x00007FF6604B0000-0x00007FF660801000-memory.dmp

Filesize
3.3MB

Download
memory/4552-66-0x00007FF6604B0000-0x00007FF660801000-memory.dmp

Filesize
3.3MB

Download
memory/4772-212-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp

Filesize
3.3MB

Download
memory/4772-135-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp

Filesize
3.3MB

Download
memory/4772-34-0x00007FF6BFA30000-0x00007FF6BFD81000-memory.dmp

Filesize
3.3MB

Download
memory/4948-25-0x00007FF737920000-0x00007FF737C71000-memory.dmp

Filesize
3.3MB

Download
memory/4948-207-0x00007FF737920000-0x00007FF737C71000-memory.dmp

Filesize
3.3MB

Download
memory/5052-241-0x00007FF673500000-0x00007FF673851000-memory.dmp

Filesize
3.3MB

Download
memory/5052-129-0x00007FF673500000-0x00007FF673851000-memory.dmp

Filesize
3.3MB

Download